EFF Analysis Of The Provisions Of The USA PATRIOT Act

That Relate To Online Activities (Oct 31, 2001)

Introduction

On October 26, 2001, President Bush signed the USA Patriot Act (USAPA)
into law. With this law we have given sweeping new powers to both
domestic law enforcement and international intelligence agencies and
have eliminated the checks and balances that previously gave courts the
opportunity to ensure that these powers were not abused. Most of these
checks and balances were put into place after previous misuse of
surveillance powers by these agencies, including the revelation in 1974
that the FBI and foreign intelligence agencies had spied on over 10,000
U.S. citizens, including Martin Luther King.

A Rush Job

The bill is 342 pages long and makes changes, some large and some
small, to over 15 different statutes. This document provides
explanation and some analysis to the sections of the bill relating to
online activities and surveillance. Other sections, including those
devoted to money laundering, immigration and providing for the victims
of terrorism, are not discussed here.

Yet even just considering the surveillance and online provisions of
the USAPA, it is a large and complex law that had over four different
names and several versions in the five weeks between the introduction
of its first predecessor and its final passage into law. While
containing some sections that seem appropriate -- providing for victims
of the September 11 attacks, increasing translation facilities and
increasing forensic cybercrime capabilities -- it seems clear that the
vast majority of the sections included have not been carefully studied
by Congress, nor was sufficient time taken to debate it or to hear
testimony from experts outside of law enforcement in the fields where
it makes major changes. This concern is amplified because several of
the key procedural processes applicable to any other proposed laws,
including inter-agency review, the normal committee and hearing
processes and thorough voting, were suspended for this bill.

Were our Freedoms the Problem?

The civil liberties of ordinary Americans have taken a tremendous blow
with this law, especially the right to privacy in our online
communications and activities. Yet there is no evidence that our
previous civil liberties posed a barrier to the effective tracking or
prosecution of terrorists. In fact, in asking for these broad new
powers, the government made no showing that the previous powers of law
enforcement and intelligence agencies to spy on US citizens were
insufficient to allow them to investigate and prosecute acts of
terrorism. The process leading to the passage of the bill did little to
ease these concerns. To the contrary, they are amplified by the
inclusion of so many provisions that, instead of aimed at terrorism,
are aimed at nonviolent, domestic computer crime. In addition, although
many of the provisions facially appear aimed at terrorism, the
Government made no showing that the reasons they failed to detect the
planning of the recent attacks or any other terrorist attacks were the
civil liberties compromised with the passage of USAPA.

Executive Summary

Chief Concerns

The EFF's chief concerns with the USAPA include:

Expanded Surveillance With Reduced Checks and Balances.
USAPA expands all four traditional tools of surveillance -- wiretaps,
search warrants, pen/trap orders and subpoenas. Their counterparts
under the Foreign Intelligence Surveillance Act (FISA) that allow
spying in the U.S. by foreign intelligence agencies have similarly been
expanded. This means:

Be careful what you put in that Google search.
The government may now spy on web surfing of innocent Americans,
including terms entered into search engines, by merely telling a judge
anywhere in the U.S. that the spying could lead to information that is
"relevant" to an ongoing criminal investigation. The person spied on
does not have to be the target of the investigation. This application
must be granted and the government is not obligated to report to the
court or tell the person spied upon what it has done.

Nationwide roving wiretaps.
FBI and CIA can now go from phone to phone, computer to computer
without demonstrating that each is even being used by a suspect or
target of an order. The government may now serve a single wiretap, FISA
wiretap or pen/trap order on any person or entity nationwide,
regardless of whether that person or entity is named in the order. The
government need not make any showing to a court that the particular
information or communication to be acquired is relevant to a criminal
investigation. In the pen/trap or FISA situations, they do not even
have to report where they served the order or what information they
received. The EFF believes that the opportunities for abuse of these
broad new powers are immense. For pen/trap orders, ISPs or others who
are not named in the do have authority under the law to request
certification from the Attorney General's office that the order applies
to them, but they do not have the authority to request such
confirmation from a court.

ISPs hand over more user information.
The law makes two changes to increase how much information the
government may obtain about users from their ISPs or others who handle
or store their online communications. First it allows ISPs to
voluntarily hand over all "non-content" information to law enforcement
with no need for any court order or subpoena. sec. 212. Second, it
expands the records that the government may seek with a simple subpoena
(no court review required) to include records of session times and
durations, temporarily assigned network (I.P.) addresses; means and
source of payments, including credit card or bank account numbers.
secs. 210, 211.

New definitions of terrorism expand scope of surveillance.
One new definition of terrorism and three expansions of previous terms
also expand the scope of surveillance. They are 1) § 802 definition of
"domestic terrorism" (amending 18 USC §2331), which raises concerns
about legitimate protest activity resulting in conviction on terrorism
charges, especially if violence erupts; adds to 3 existing definition
of terrorism (int'l terrorism per 18 USC §2331, terrorism transcending
national borders per 18 USC §2332b, and federal terrorism per amended
18 USC §2332b(g)(5)(B)). These new definitions also expose more people
to surveillance (and potential "harboring" and "material support"
liability, §§ 803, 805).

Overbreadth with a lack of focus on terrorism. Several provisions of the USAPA have no apparent connection to preventing terrorism. These include:

Government spying on suspected computer trespassers with no need for court order. Sec. 217.

Adding samples to DNA database for those convicted of "any crime of violence."
Sec. 503. The provision adds collection of DNA for terrorists, but then
inexplicably also adds collection for the broad, non-terrorist category
of "any crime of violence."

Wiretaps now allowed for suspected violations of the Computer Fraud and Abuse Act.
This includes anyone suspected of "exceeding the authority" of a
computer used in interstate commerce, causing over $5000 worth of
combined damage.

Dramatic increases to the scope and penalties of the Computer Fraud and Abuse Act.
This includes: 1) raising the maximum penalty for violations to 10
years (from 5) for a first offense and 20 years (from 10) for a second
offense; 2) ensuring that violators only need to intend to cause damage
generally, not intend to cause damage or other specified harm over the
$5,000 statutory damage threshold; 3) allows aggregation of damages to
different computers over a year to reach the $5,000 threshold; 4)
enhance punishment for violations involving any (not just $5,000)
damage to a government computer involved in criminal justice or the
military; 5) include damage to foreign computers involved in US
interstate commerce; 6) include state law offenses as priors for
sentencing; 7) expand definition of loss to expressly include time
spent investigating, responding, for damage assessment and for
restoration.

Allows Americans to be More Easily Spied Upon by US Foreign Intelligence Agencies.
Just as the domestic law enforcement surveillance powers have expanded,
the corollary powers under the Foreign Intelligence Surveillance Act
have also been greatly expanded, including:

General Expansion of FISA Authority.
FISA authority to spy on Americans or foreign persons in the US (and
those who communicate with them) increased from situations where the
suspicion that the person is the agent of a foreign government is "the"
purpose of the surveillance to anytime that this is "a significant
purpose" of the surveillance.

Increased information sharing between domestic law enforcement and intelligence.
This is a partial repeal of the wall put up in the 1970s after the
discovery that the FBI and CIA had been conducting investigations on
over half a million Americans during the McCarthy era and afterwards,
including the pervasive surveillance of Martin Luther King in the
1960s. It allows wiretap results and grand jury information and other
information collected in a criminal case to be disclosed to the
intelligence agencies when the information constitutes foreign
intelligence or foreign intelligence information, the latter being a
broad new category created by this law.

FISA detour around federal domestic surveillance limitations; domestic detour around FISA limitations.
Domestic surveillance limits can be skirted by the Attorney General,
for instance, by obtaining a FISA wiretap against a US person where
"probable cause" does not exist, but when the person is suspected to be
an agent of a foreign government. The information can then be shared
with the FBI. The reverse is also true.

Future Actions

The EFF urges the following:

That law enforcement and the intelligence
agencies will use these new powers carefully and limit their use to
bona fide investigations into acts of terrorism.

That if these laws are misused to spy on innocent people,
that the courts will appropriately punish those who misuse them and
that Congress will reexamine its decision to grant such broad,
unchecked powers.

That if these laws are misused to harm the rights of
ordinary Americans involved in low level crimes unrelated to terrorism,
the courts will refuse to allow evidence collected through use of these
broad powers to be used in prosecuting them.

That the many vague, undefined terms in the USAPA will be
defined in favor of protecting civil liberties and privacy of
Americans. These include:

the definition of "content" of e-mails which cannot be retrieved without a warrant.

the definition of "without authority" in the computer trespass
statute to include only those who have intentionally broken into
computers that they have no relationship with, including educational
institutions and other organizations that may not have formal
"contractual" relationships with users.

That ISPs and others served with "roving" wiretaps and other
Orders that do not specify them will require that the Attorney General
give them certification that the order properly applies to them.

That Congress will require the law enforcement and
intelligence agencies who operate under provisions of the USAPA that
are set to expire in December, 2005, to provide them with comprehensive
reports about their use of these new powers to enable Congress to
reasonably determine whether these provisions should be renewed. (see
related EFF statement)

I. Expanded Surveillance with Reduced Checks and Balances

A. A Brief, Incomplete Introduction to Electronic Surveillance under US Law.

US law has provided four basic mechanisms for surveillance on people
living in the United States: interception orders authorizing the
interception of communications; search warrants authorizing the search
of physical premises and seizure of tangible things like books or other
evidence; "pen register" and "trap-and-trace device" orders (pen/trap
orders), which authorize the collection of telephone numbers dialed to
and from a particular communications device; and subpoenas compelling
the production of tangible things, including records. Each mechanism
has its own proof standards and procedures based on the Constitution,
statutes, or both.

US law also provides two separate "tracks" with differing proof
standards and procedures for each of these mechanisms depending upon
whether surveillance is done by domestic law enforcement or foreign
intelligence. All of these have been expanded by the USAPA.

For instance, when surveillance is conducted for domestic law
enforcement purposes, the probable cause standard of the Fourth
Amendment applies to interception orders and search warrants. But a
court order compelling an ISP to produce e-mail logs and addresses of
past e-mail correspondents uses a lower standard: the government must
show specific and articulable facts showing reasonable grounds to
believe that the records are relevant and material to an ongoing
criminal investigation. A pen/trap order uses an even lower standard:
the government need only tell the court that the surveillance is
relevant to a criminal investigation. The standard for subpoenas is
also very low.

Where foreign intelligence surveillance is concerned, however, the
standard of proof and procedures for each mechanism has been different.
One key difference is that foreign intelligence surveillance is not
based on the concept of criminality. Under the Foreign Intelligence
Surveillance Act (FISA), the key issue is whether the intended
surveillance target is an "agent of a foreign power" or a "foreign
power." Only if the target is a U.S. citizen or permanent resident
alien must the government show probable cause of criminality.

Second, FISA allows a secret court to authorize US intelligence
agencies to conduct surveillance using each of the four basic
mechanisms listed above. For instance, FISA interception orders
involving U.S. persons are issued by the secret court based on an
application from the Attorney General stating reasons to believe that
the surveillance target is an agent of a foreign power or a foreign
power, certifying that "the purpose" of the surveillance is to gather
foreign intelligence information, and several other facts and
representations. The secret court's role here, however, is quite
limited: it is not supposed to "second-guess" the government's
certifications or representations. (Unsurprisingly, the secret FISA
court has only denied one application in its over twenty-year
existence.) Moreover, unlike ordinary interception orders, FISA does
not require reports to the court about what the surveillance found; no
reports of what is being sought or what information is retrieved are
ever available to the public. Thus, the secret court's only practical
accountability is in a district court when a surveillance target is
prosecuted and seeks to suppress the fruits of FISA surveillance.

FISA's requirements are even weaker if the electronic surveillance
is directed solely at means of communications used exclusively between
or among foreign powers and when it is unlikely that communications to
which a U.S. person is a party will be intercepted; in such cases,
surveillance may proceed for up to a year without a court order.

Immediately after the September 11 attacks, electronic surveillance was
conducted pursuant to FISA orders. There have been no reports that the
limitations of FISA power posed any problems for the government.

Domestic Law Enforcement

Foreign Intelligence Surveillance

1. Intercept Orders.

Title III (named after the section of the original legislation, the
Omnibus Crime Control and Safe Streets Act of 1968) surveillance is a
traditional wiretap that allows the police to bug rooms, listen to
telephone conversations, or get content of electronic communications in
real time.

Obtained after law enforcement makes a showing to a court
that there is "probable cause" to believe that the target of the
surveillance committed one of a special list of severe crimes.

Law enforcement must report back to the court what it discovers.

Up to 30 days; must go back to court for 30-day extensions

(Courts do not treat unopened e-mail at ISPs as real-time communications.)

1. FISA Intercept Orders.

Secret Court. No public information about what surveillance
requested or what surveillance actually occurs, except for a raw annual
report of number of requests made and number granted (the secret court
has only refused one request)

Previous standard was certification by Attorney General
that "the purpose" of an order is a suspicion that the target is a
foreign power or an agent of a foreign power.

Attorney General is not required to report to the court what it does.

Up to 90 days, or 1 year (if foreign power)

2. Pen/Trap.

Pen/Trap surveillance was based upon the physical wiring of the
telephone system. It allowed law enforcement to obtain the telephone
numbers of all calls made to or from a specific phone.

Allowed upon a "certification" to the court that the information is relevant to an ongoing criminal investigation.

Court must grant if proper application made

Does
not require that the target be a suspect in that investigation and law
enforcement is not required to report back to the court.

Prior to USAPA there had been debate about how this authority is to be applied in the Internet context.

2. FISA Pen/Trap.

Previous FISA pen/trap law required not only showing of relevance but
also showing that the communications device had been used to contact an
"agent of a foreign power."

While this exceeds the showing under the ordinary pen/trap statute,
such a showing had function of protecting US persons against FISA
pen/trap surveillance.

3. Physical search warrants

Judicial finding of probable cause of criminality; return on
warrant. Previously, agents were required at the time of the search or
soon thereafter to notify person whose premises were searched that
search occurred, usually by leaving copy of warrant.
USAPA makes it easier to obtain surreptitious or "sneak-and-peek"
warrants under which notice can be delayed.

3. FISA Physical search warrants

See FISA 50 USC § 1822. USAPA extends duration of physical searches.

Under previous FISA, Attorney General (without court order) could authorize physical searches
for up to one year of premises used exclusively by a foreign power if unlikely that US
person will be searched; minimization required. A.G. could authorize such searches up to
45 days after judicial finding of probable cause that US target is or is an agent of a
foreign power; minimization required, and investigation may not be based solely on
First Amendment-protected activities.

4. Subpoenas for stored information.

Many statutes authorize subpoenas; grand juries may issue subpoenas as
well. EFF's main concern here has been for stored electronic
information, both e-mail communications and subscriber or transactional
records held by ISPs. Subpoenas in this area are governed by the
Electronic Communications Privacy Act (ECPA).

4. FISA subpoenas

Previously, FISA authorized collection of business records in very
limited situations, mainly records relating to common carriers,
vehicles or travel, and only via court order.

USAPA permits all "tangible things," including business records, to be obtained via a subpoena (no court order).

Domestic Law Enforcement

Foreign Intelligence Surveillance

II. Increased Surveillance Authority

The USAPA removes many of the checks and balances that prevented both
police and the foreign intelligence agencies from improperly conducting
surveillance on US citizens who are not involved in criminal or terrorist
activity. For Internet users, it opens the door for widespread surveillance
of web surfing, e-mails and peer to peer systems. In addition, the
protections against the misuse of these authorities -- by the foreign
intelligence agencies to spy on US citizens and by law enforcement to use
foreign intelligence authority to exceed their domestic surveillance authority --
have been greatly reduced.

A. Law enforcement intercept orders (Wiretaps)

Wiretaps (for telephone conversations) can only be issued for
certain crimes listed in 18 USC §2516. USAPA adds to this list. This
restriction has never applied to interception of electronic
communications.

1. Adds Terrorism.

USAPA sec. 201 adds terrorism offenses (Note: this is probably
redundant since list already included most if not all terrorist acts
--e.g., murder, hijacking, kidnapping, etc.)

B. Law enforcement search warrants.

1. Single-jurisdiction search warrants for terrorism and for electronic evidence.

In general, search warrants must be obtained within a judicial
district for searches in that district. Fed.R.Crim.Pro. 41. USAPA
relaxes this rule. USAPA sec. 219 Adds terrorist investigations to the
list of items where single-jurisdiction search warrants may be issued.
Allows issuance in any district in which activities related to
terrorism may have occurred for search of property or person within or
outside the district. USAPA sec. 220. Once a judge somewhere approves a
warrant for seizing unopened e-mail less than 180 days old, that order
can be served on any ISP/OSP or telecommunications company nationwide,
without any need that the particular service provider be identified in
the warrant.

2. "Sneak-and-peek" warrants greatly expanded.

USAPA sec. 213. Can delay notification for "a reasonable period" and
can be "extended for good cause shown" to court for any wire or
electronic communication or tangible property. Problematic because
notice to a searched person is a key component of Fourth Amendment
reasonableness.

C. Law enforcement Pen/Trap orders

Pen/trap orders are issued by a court under a very low standard; USAPA
does not change this standard. USAPA instead expands the reach of
pen/trap orders.

USAPA sec. 216 modifies 18 USC § 3121(c) to expressly include
routing, addressing information, thus expressly including e-mail and
electronic communications. "Contents" of communications excluded, but
USAPA does not define what it includes (dialing, routing, addressing,
signalling information) or what it excludes (contents). Serious
questions about treatment of Web "addresses" and other URLs that
identify particular content. DOES NOT SUNSET.

Applies to those not named (nationwide). Previously, pen/trap orders
limited by court's jurisdiction, so had to be installed in judicial
district. Now, court shall enter ex parte order authorizing use
anywhere within the US if court has jurisdiction over crime being
investigated and attorney for US Government has certified that
information "likely to be obtained" is "relevant to an ongoing criminal
investigation." Order applies to any provider "whose assistance may
facilitate the execution of the order, " whether or not within the
jurisdiction of the issuing court.
But if entity is not named, may require that US attorney provide
written or electronic certification that the order applies to the
person or entity being served. DOES NOT SUNSET.

IF government agency uses its own technology (e.g., Carnivore), then
and "audit trail" is required, e.g., 30 day report back to court.

Expands records that can be sought without a court order to include:
records of session times and durations, temporarily assigned network
addresses; means and source of payments, including any credit card or
bank account number.

Allows disclosure of customer records by the service provider on the same basis that it currently allows content.

Expands "emergency" voluntary disclosure to government of both
content and customer records if reason to believe immediate danger of
death or serious physical injury. Also expands ECPA 2703(d)
court-ordered mandatory disclosure to government. USAPA Sec. 212.

2. USAPA sec. 211. Reduction of Privacy for Cable Records.

Previously, the Cable Act had mandated strong privacy protection for customer records of
cable providers; USAPA overrides these protections for customer records related to
telecommunications services. This is a major change because several courts have already
held that these privacy protections don't apply for telecommunications services.

E. Information sharing between law enforcement and intelligence community

Because foreign intelligence surveillance does not require probable
cause of criminality and because of the fear that foreign intelligence
surveillance aimed at foreign agents would violate the rights of US
persons, the law has tried to keep foreign intelligence surveillance
(including evidence gained therefrom) separate from law enforcement
investigations. USAPA greatly blurs the line of separation between the
two.

1. Easier to Use FISA authority for Criminal Investigations.

USAPA Sec. 218 Foreign intelligence gathering now only needs to be
"a significant purpose" not "the purpose" (edits to 50 USC §
1804(a)(7)(b), and 1823 (a)(7)(B)). FISA court only looks to see that
certifications present and are not "clearly erroneous".

Courts have said that it is not the function of the courts to "second guess" the certifications.

3. Foreign Intelligence Information.

New category of information that can be disclosed to foreign intelligence agents.

Any info, whether or not concerning a US person, that "relates" to
the ability of the US to protect against an actual or potential attack,
sabotage or international terrorism or clandestine intelligence
activities; any info, whether or not concerning a US Person, that
"relates" to the national defense or security or the conduct of foreign
affairs. DOES NOT SUNSET.

4. Disclose Criminal Wiretap Information With Any Government Official,
Including Foreign Intelligence Services

Section 203(b) amends 18 USC §2517. Allows disclosure of contents of
wiretaps or evidence derived therefrom to any other government t
official, including intelligence, national defense and national
security, "to the extent such contents include foreign intelligence or
counterintelligence or foreign intelligence information (see definition
above)

5. General Authority to Disclose

Section 203(d). Notwithstanding other law, lawful for foreign
intelligence or counterintelligence or foreign intelligence information
(see definition above) to be disclosed to anyone to assist in
performance of official duties.

USAPA Sec. 504 also authorizes general coordination between law enforcement and FISA surveillance.

F. FISA

1. Intercept orders: adds "roving wiretap" authority to FISA.

USAPA §206 amends 50 USC §1805. FISA court now may authorize intercepts
on any phones or computers that the target may use. The foreign
intelligence authorities can require anyone to help them wiretap.
Previously they could only serve such orders on common carriers,
landlords, or other specified persons. Now they can serve them on
anyone and the Order does not have to specify the name of the person
required to assist. No requirement that request for authority identify
those.

Roving wiretap authority raises serious Fourth Amendment problems
because it relaxes the "particularity" requirements of the Warrant
Clause. Such authority already exists under Title III.
Increases duration of FISA intercept orders. USAPA §207 amends 50 USC
§1805(e)(1) concerning surveillance on agents of a foreign power (not
US persons) from 90 to 120 days.

2. FISA search warrants

Extend time for surveillance. USAPA §207 amends 50 USC §1824(d) for judicially authorized physical searches
to a) 90 days (up from 45), or b) if agent of a foreign power (employee or member of
a foreign power but not US persons), 120 days.

3. FISA pen/trap orders

ARE
concerning a US person, and to protect against international terrorism
or clandestine intelligence activities, provided that such
investigation is not conducted solely upon the basis of 1st Amendment
activities.

4. FISA subpoenas and similar authorities

Broad authority for compelling business records. Under current law,
only records of common carriers, public accommodation facilities,
physical storage facilities and vehicle rental facilities can be
obtained with a court order.

USAPA 215: Amends 50 USC §1862 to allow application to FISA court for
an order to compel the production of any business record from anyone
for any investigation to protect against international terrorism or
clandestine intelligence activities (but cannot investigate a US person
solely for First Amendment activities).

No showing needed that the person is the agent of a foreign power.

Order to a court--MUST be granted if application meets requirements

Order won't say that it is under this section

Persons served by it are gagged

Semiannual
list of applications and list granted, denied but no reporting of
actual documents seized or their usefulness required to court or to
Congress.

G. Other changes related to surveillance

1. New surveillance of communications "relevant" to computer trespasser investigation

USAPA sec. 217; Changes to 18 USC § 2510. In addition to the three
traditional forms of surveillance, the USAPA adds another area where
any government employee, not just law enforcement, may conduct content
surveillance of US persons. This is when computer owner and operator
"authorizes" surveillance and law enforcement agent "has reasonable
grounds to believe contents of communication will be relevant" to
investigating computer trespass and does not acquire anyone else's
communications.

Allows interception of messages suspected of being sent through a computer without "authorization."

The term "authorization" is not
defined, giving the owner/operator of protected computer and the
government agent great discretion.

BUT this does not include someone who is known to have
an existing contractual relationship to access all or part of the
computer. According to DOJ, ISP customers who send spam in violation of
ISP's terms of service would not be trespassers.

2.Civil liability for certain unauthorized disclosures.

USAPA sec. 223. This provision provides a small bit of relief for those
who discover that law enforcement or the foreign intelligence
authorities have disclosed information about them improperly.

Allows Administrative discipline. Amends 18 USC §§ 2520, 2707

Allows
§2712 Civil actions with a $10,000 recovery limit, but only for willful
disclosures. [It's a $10K statutory damages minimum ("actual damages,
but not less than $10,000, whichever amount is greater")]

3. Disclosure of Educational Records. amends 20 USC §1232g.

USAPA sec. 507-8.

Upon written application to a court
(pen/trap standard), the Attorney General may require an educational
agency to collect educational records "relevant" to an authorized
investigation of a listed terrorist offense or "domestic or
international terrorist offense." If application correct, court shall
grant. (pen/trap standard)

4. Similarly expands quasi-subpoena power for many other records.

III. Changes With Little Relationship to Fighting Terrorism.

The EFF is also deeply dismayed to see that the Attorney General
seized upon the legitimate Congressional concern following the
September 11, 2001 attacks to pad the USAPA with provisions that have
at most, a tangential relationship to preventing terrorism. Instead,
they appear targeted at low and mid-level computer defacement and
damage cases which, although clearly criminal, are by no means
terrorist offenses and have no business being included in this bill.

A. Computer Fraud and Abuse Act (CFAA 18 USC § 1030).

The CFAA provides for civil and criminal liability for acts exceeding
the "authority" to access or use a computer connected to the Internet.
It is used to prosecute those engaging in computer graffiti, website
defacement and more serious computer intrusion and damage. It has also
been applied in civil cases to spammers and those sending unwanted bots
to gather information from the websites of others. The USAPA makes
several changes to this law, none of which seems aimed at preventing or
prosecuting terrorist offenses -- which are separately defined and
already include the use of computers to commit terrorism . An earlier
version of the bill would have made many violations of the statute
"terrorist" offenses. After outcry from EFF members and many others,
most, but not all see below, of the offenses under §1030 were removed
from the "terrorist" definition. However, instead the penalties and
scope of §1030 were greatly expanded. The changes include:

Adds an "attempt to commit an offense"
under §1030 to the list of illegal activities with the same penalties
as an offense. Sec. 814.

The law now applies if the damage is done to computers outside the US that affect US Interstate commerce. Sec. 814

Includes
state court convictions under similar statutes as priors for purposes
of a second conviction with increased penalties. Sec. 814.

Increases penalties for violations of the statute. Sec. 814(1)

"Loss" under the statute now expressly includes time spent
responding and assessing damage, restoring data, program, system or
information, any revenue lost, cost incurred or other consequential
damages. Sec. 814.

B. Computer Crimes under CFAA Defined as "Terrorist Offenses"

As far as the investigation has revealed so far, computer crime played
no role in the September 11, 2001 attack or in any previous terrorist
attacks suffered by the United states. Computer crime, especially when
it results in danger to lives, is a serious offense, the USAPA adds it
to the list of "terrorist offenses." Although it is obviously possible
that a computer crime in the future could be part of a terrorist
offense, the definition of "terrorism" already includes murder,
hijacking, kidnapping and similar crimes that would be the result of a
"cyberterrorist" attack. Yet without explanation, early versions of the
USAPA included even low level computer intrusion and web defacement as
"terrorist offenses." The final bill was not so draconian, but still
includes the following (among others unrelated to computer crime) as a
"terrorist offense" under 18 USC §2332b(g)(5)(B):

An act calculated to influence or affect
the conduct of government by intimidation or coercion or to retaliate
against government conduct (this lsnguage was in existing law AND
EITHER

violates 18 USC §1030(a)(1) accessing restricted or
classified information on computers that require protection for reasons
of national security, national defense or §11(y) of Atomic Energy Act
of 1954 with reason to believe could that the information could injure
US or advantage a foreign nation, and who willfully communicates the
information to one not entitled to it, OR

affects
computer system used by or for a government entity in furtherance of
the administration of justice, national defense, or national security.

If an offense is a federal terrorism offense per 18 USC 2332b(g)(5)(B):

RICO procedures apply. Sec. 813. This
includes seizure of assets pre-conviction, forfeiture post-conviction
and many other procedural provisions previously applicable just to
organized crime and the drug war.

8 year statute of limitation §3286 (sec. 809)

Alternate maximum penalties (sec. 810) 15 year max penalty 810(c)(1) and if death of a person results, for any term or for life.

Included in 803: harboring or concealing terrorists

Included in 805: Material support 18 USC 2339A

806
Assets: "of any individual, entity or organization engaged in planning
or perpetrating any act of domestic or international terrorism" and all
assets, "affording any person a source of influence over any such
entity or organization."

USAPA sec. 805. Amends 18 USC 2339A. Material support
for terrorists now includes "expert advice or assistance"; e.g.,
biochemist's advice on how to increase lethality of biological agents.

Previous 2339A included "training"; statute requires "knowing or
intending that they [material support or resources] are to be used in
preparation for, or in carrying out, a violation . . .. [of, inter
alia, 2332b] -- so this requires knowing or intentional facilitation.

Under 2339A facilitator may be culpable whether or not underlying
offense committed; also, scienter does not require "specific intent to
commit the underlying action," but only knowledge that "are to be used"
for a specified offense -- however, normally this is interepreted to
mean that facilitator "aware that that result is practically certain to
follow from his conduct.'" If a facilitator was virtually certain that
particular recipients would in fact use the provided resources to
commit a terrorist crime, it would be immaterial whether the
facilitator knew precisely when or where the criminal conduct would
occur. Major First Amendment problem for information otherwise
available in the public domain.

IV. Sunset Provisions

USAPA sec. 224. Several of the surveillance portions of the USAPA will expire on December 31, 2005.

The EFF is pleased that at least some of the more severe changes in
the surveillance of U.S. persons contained in the USAPA will expire on
December 31, 2005 unless renewed by Congress. We are concerned,
however, that there is no way for Congress to review how several of
these key provisions have been implemented, since there is no reporting
requirement to Congress about them and no requirements of reporting
even to a judge about several others. Without the necessary information
about how these broad new powers have been used, Congress will be
unable to evaluate whether they have been needed and how they have been
used in order to make an informed decision about whether and how they
should continue or whether they should be allowed to expire without
renewal.